(57) ABSTRACT

An authentication system of a terminal on a public switched telephone network provides a security node associated with a local exchange and a network terminal. For one-way authentication, the terminal responds to a call initiation by sending a unique authentication code comprising a number and a secret key encrypted according to a first algorithm, the secret key being specific to the terminal. The security node constructs the expected authentication code from the number, using the first algorithm and a second key which is a function of a terminal identification number, and compares the expected code with the received code. In two-way authentication, the security node responds to the call initiation by sending a transaction number to the terminal encrypted according to a second algorithm. The terminal generates the authentication code as a function of the first algorithm, the secret key and the transaction number. The authentication code is sent back to the security node. An expected code is compared with the received one in the same way. In both cases, a match between expected and received authentication codes constitutes authentication of the terminal, allowing the user access to the network.

20 Claims, 1 Drawing Sheet 
USER AUTHENTICATION IN A COMMUNICATIONS NETWORK

This is a continuation of application No. PCT/GB95/01937, filed Aug. 16, 1995.

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

This invention relates to terminal authentication in a 
communications network such as in a telecommunications 
network. 

2. Description of the Related Art 

In a typical network providing telephony, fax and associated services, such as a public switched telephone network (PSTN), customer premises equipment (CPE) is connected via network termination equipment (NTE) to the PSTN for mutual intercommunication via switches or exchanges which constitute nodes in the network. There are various levels of exchange. The exchange functionally nearest a customer's NTE, through which all calls to and from that customer may be routed, is known as the local exchange.

A telephone service is usually 'post-payment' in nature, i.e. billing is carried out retrospectively over a period since the last billing date. Apart from the basic security aspect, it is desirable to be able to authenticate the use of service user equipment to minimise the opportunity for unauthorised access to the network, as this may lead to billing disputes with the customer. For example, if an unauthorised user taps into a customer's line between the NTE and the local exchange, any chargeable service provided to the unauthorised user will be recorded as used by the authorised customer and billed accordingly.

Various systems are known for providing authentication. For example, a calling-card-based system involves the user keying in, through the telephone, a sequence of numbers to establish the user's identity. Another example is the use of a button, programmed to send a personal identification number (PIN), on the telephone equipment which allows access to an enhanced level of service, or an alternative network, through the same local exchange. For more specialist services this may be acceptable. However, such systems require the user to establish his or her identity as part of the call set-up procedure.

Although this added complexity may not be a severe 
problem on more specialist or less frequently used services, 
it is still an inconvenience which it would be advantageous 
to remove from that part of the call set-up procedure carried 
out by the customer. This is particularly so when the 
customer is using a standard service on a frequent basis. 
Removing the authentication steps from the customer would 
streamline the procedure considerably. 

SUMMARY OF THE INVENTION 
The present invention provides a method of authenticating a network terminal on a communications network, the method comprising the steps of:

indicating to a security node associated with the network that a user of the terminal requires use of the network;
calculating an authentication code at the terminal, the authentication code being a function of a transaction number encrypted by means of a first key associated with the terminal, and a first algorithm;
transmitting the authentication code to the security node;
calculating an expected authentication code at the security node based on the transaction number, the first algorithm and the first key;
comparing the expected authentication code with the received authentication code; and
denying unrestricted access to the network for the terminal unless the expected and received authentication codes match.

The terminal may be part of an NTE with which the 
security node communicates to establish authentication or 
not. Alternatively, the terminal may be part of the actual 
customer equipment connected with the network through the 
NTE. 

Preferably, the security node calculates at least one first 
key for the terminal, the or each first key being a function of 
a security algorithm stored within the node, the terminal 
identification code and a second key, the or each first key 
being loaded into the terminal for later use with the first 
algorithm in authenticating a terminal. Advantageously, the 
first key is a function of the terminal identification code 
encrypted by the second key using the security algorithm. 

In a preferred embodiment, the transaction number is a 
variable number which is changed after each authentication 
attempt. 

The security node may generate the transaction number, 
which is sent as a challenge to the terminal in response to the 
indication received by the security node that the user 
requires use of the network. 

Conveniently, the security node prevents access to the 
network for the terminal in the event that no match between 
the expected and received authentication codes is made 
within a predetermined duration. 

Preferably, the terminal transmits a negative acknowledgement to the security node in the event that no challenge, or an invalid challenge, is received following an indication that the user requires use of the network.

The first key may be loaded into the terminal remotely by 
the security node, or locally from storage means connected 
temporarily to the terminal. 

Advantageously, the or each first key is identified at the security node by calculation from the terminal identification code. Alternatively, the or each first key is identified at the security node by means of a look-up table based on the terminal identification code.

Preferably, the security node permits a dial tone to be 
established with the terminal independent of the result of the 
authentication. In this case, the security node may permit 
access to the network for identifiable emergency traffic 
and/or non-chargeable traffic in the event that the expected 
and received authentication codes do not match. 

The telecommunications network may have a plurality of 
exchanges, each for routing traffic to, and from, a plurality 
of terminals, at least one of the exchanges having the 
security node associated therewith. 
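The method summarised above (challenge from the security node, authentication code computed at the terminal from the transaction number and a terminal-specific first key, comparison at the node, time-out and negative acknowledgement) is carried through below as an added worked example; it is not code from the patent. It uses the notation of the detailed description: K is the key diversification key, TN the terminal's telephone number, Sj = fj(K, TN) the j-th terminal key, n the transaction number, R = F(Sj, n) the terminal's code and E = F[fj(K, TN), n] the node's expected code; the one-way variant, in which the terminal supplies its own number m, is shown as well. Where the patent names Triple-DES and IDEA as candidates for F and fj, this example substitutes HMAC-SHA256 under two different domain-separation labels (so that F and fj are different functions, as requirement a) of the detailed description asks). The 8-byte challenge, a counter as the 'agreed means' for m, the replay check on m, and the `line` callable standing in for the local access line are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

J_BITS = 3            # j is a three-bit key index in the embodiment (8 keys per NTE)
CHALLENGE_BYTES = 8   # size of n and m (assumption; the text budgets 10-20 bytes per direction)
MAX_SENDS = 3         # the node re-sends a challenge at least three times with the same n


def f_j(K: bytes, tn: str, j: int) -> bytes:
    """Security algorithm f_j: S_j = f_j(K, TN). Lives only in the security node.
    HMAC-SHA256 stands in for the Triple-DES/IDEA named on the page (assumption)."""
    return hmac.new(K, b"f_j|" + bytes([j]) + b"|" + tn.encode(), hashlib.sha256).digest()


def F(S: bytes, n: bytes) -> bytes:
    """Public algorithm F: R = F(S_j, n). Stored in every NTE, so it must differ from
    f_j (requirement a); the distinct label 'F|' keeps the two functions apart."""
    return hmac.new(S, b"F|" + n, hashlib.sha256).digest()[:8]


class NTE:
    """Terminal side: holds one secret S_j per value of j, loaded at installation."""

    def __init__(self, tn: str, keys: dict):
        self.tn = tn
        self.keys = keys          # j -> S_j
        self.m = 0                # one-way transaction counter (the 'agreed means', assumption)

    def respond(self, challenge):
        """Two-way: answer (j, n) with ('RESP', TN, R). A missing or invalid challenge
        (unknown j, wrong length) is answered with a negative acknowledgement."""
        if (challenge is None or challenge[0] not in self.keys
                or len(challenge[1]) != CHALLENGE_BYTES):
            return ("NAK", self.tn, None)
        j, n = challenge
        return ("RESP", self.tn, F(self.keys[j], n))

    def one_way_code(self, j: int):
        """One-way: no challenge; the NTE picks m itself and sends TN, j, m and R = F(S_j, m)."""
        self.m += 1
        m = self.m.to_bytes(CHALLENGE_BYTES, "big")
        return (self.tn, j, m, F(self.keys[j], m))


class SecurityNode:
    """Exchange side: holds K and f_j; never stores S_j, it recomputes it from TN."""

    def __init__(self, K: bytes):
        self.K = K
        self.last_m = {}          # TN -> last accepted one-way m (replay check, assumption)

    def provision(self, tn: str) -> dict:
        """Steps 1-2: the suite S_0..S_7 for one terminal, to be loaded into its NTE."""
        return {j: f_j(self.K, tn, j) for j in range(2 ** J_BITS)}

    def expected(self, tn: str, j: int, n: bytes) -> bytes:
        """E = F[f_j(K, TN), n]."""
        return F(f_j(self.K, tn, j), n)

    def authenticate_two_way(self, tn: str, line, j: int = 0) -> dict:
        """Steps 4-7. `line(challenge)` models the local access line: it returns the
        NTE's message, or None when nothing comes back. The same n is sent up to
        MAX_SENDS times; after that the time-out treats the call as unauthenticated
        (dial tone is still returned; only emergency or other non-chargeable
        calls may then proceed)."""
        n = secrets.token_bytes(CHALLENGE_BYTES)     # step 5: the transaction number
        msg = None
        for attempt in range(1, MAX_SENDS + 1):
            msg = line((j, n))
            if msg is None:
                continue                              # no reply / transmission error: re-send
            kind, reported_tn, R = msg
            if kind == "NAK":
                break                                 # the terminal rejected the challenge
            ok = reported_tn == tn and hmac.compare_digest(self.expected(tn, j, n), R)
            return {"authenticated": ok, "attempts": attempt, "timed_out": False}
        return {"authenticated": False, "attempts": attempt, "timed_out": msg is None}

    def authenticate_one_way(self, code) -> bool:
        """One-way check: E = F[f_j(K, TN), m] must equal R, and m must be fresh."""
        tn, j, m, R = code
        counter = int.from_bytes(m, "big")
        if counter <= self.last_m.get(tn, 0):
            return False                              # replayed or stale m
        ok = hmac.compare_digest(self.expected(tn, j, m), R)
        if ok:
            self.last_m[tn] = counter
        return ok


if __name__ == "__main__":
    node = SecurityNode(K=bytes(range(16)))          # constructed key material
    TN = "01632960123"                               # constructed telephone number
    legit = NTE(TN, node.provision(TN))              # keys loaded at installation
    tapped = NTE(TN, {j: bytes(32) for j in range(2 ** J_BITS)})   # tap with no real keys
    print("legitimate NTE :", node.authenticate_two_way(TN, legit.respond, j=5))
    print("tapped line    :", node.authenticate_two_way(TN, tapped.respond, j=5))
    print("silent line    :", node.authenticate_two_way(TN, lambda ch: None))
    code = legit.one_way_code(j=2)
    print("one-way        :", node.authenticate_one_way(code),
          "replay:", node.authenticate_one_way(code))
```

The node never holds Sj: it recomputes fj(K, TN) per call, so a compromised NTE yields only its own key suite and reveals nothing about other customers' keys or about K (requirements d and e). `hmac.compare_digest` does the E = R comparison so that a wrong response is rejected without leaking how many bytes matched.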

The invention also provides a system for authenticating terminals on a communications network comprising a security node and a plurality of terminals connected to the network through the node, at least one of the terminals comprising processing means including a memory, and terminal signalling means operably connected to the network and enabled by the processing means, the terminal signalling means being arranged to transmit to the security node an authentication code after a potential user initiates a use of the network, the authentication code being calculated by the processing means as a function of a transaction number encrypted by means of a first algorithm and a first key associated with that terminal, the security node being operable to calculate an expected authentication code for that terminal using the transaction number, the first algorithm also stored in the security node, and the first key, and
to deny unrestricted access to the network for that terminal unless the expected and received authentication codes match.

The invention further provides a customer terminal for a communications network, the terminal comprising a customer port for customer equipment compatible with the network, a network port for connecting the terminal to the network, processing means including a memory, the processing means being arranged to receive signals through the network port, and signalling means arranged to transmit signals through the network port, the processing means being operable, following initiation of use of the network by a user, to calculate an authentication code which is a function of a transaction number encrypted by means of a first algorithm and a first key associated with the terminal, and to enable the signalling means to transmit the authentication code through the network port.

Preferably, the signalling means is a modem, for example an FSK modem for data transmission on the network. However, other signalling means may be used. For example, a dual tone multi-frequency (DTMF)-based system could be employed.

The present invention requires only the authenticating equipment to be connected between the user's equipment, for example a telephone, and the security node governing authentication for the local exchange associated with the NTE. The authenticating equipment communicates cryptographically with the security node to provide authentication of the equipment initiating a call (but not of the individual user) automatically. Thus, the authentication process takes place when the user lifts the handset, or otherwise initiates access to the network. The user does not have to insert a token or card, or key in an authorisation number.

The authenticating equipment can be line or mains powered, and may conveniently be built into a housing remote from the customer equipment, for example the master socket in the customer's premises to which the telephone equipment is connected. Alternatively, the authenticating equipment may be battery powered.

While the invention is described in terms of authentication to avoid fraudulent use of telephone lines, it is applicable to other situations in which a discrimination is required based on authentication of a user. For example, the invention may equally well be arranged to restrict access to certain geographical areas on the basis of authentication.

The invention is particularly applicable to a telecommunications network, such as a public switched telephone network. However, the concept of a security node through which the traffic passes, or under the governance of which traffic is allowed to pass from the terminal to the rest of the network, is applicable to other communications systems.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention can be put into practice in various ways, some of which will now be described, by way of example, with reference to the accompanying drawings, in which:

FIG. 1 is a schematic block diagram of a part of a telephone network according to the invention;

FIG. 2 is a more detailed schematic block diagram of a network terminal forming part of the network of FIG. 1;

FIG. 3 is a more detailed schematic block diagram of a local exchange forming part of the network of FIG. 1; and

FIG. 4 is a schematic diagram of an authentication protocol message sequence.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

Referring to the drawings, FIG. 1 shows a PSTN having a local exchange 10 connected by a local access line 12 to an NTE 14 which is specific to a network customer. The NTE 14 is the interface between the network and the CPE 16 of that customer. The NTE 14 has a customer port 18, for example a master socket, by means of which the CPE 16 can be connected to the network, and a network port 20 by means of which the network is connected to the customer premises. Typically, the CPE 16 are telephone handsets or fax machines on the same telephone number.

It will be appreciated, by the skilled person, that a typical telephone network will consist of many customers, each having a respective NTE 14 and each being connected to one of a number of local exchanges 10 which, in turn, make up an interconnected network of various levels of exchanges (the PSTN). For reasons of clarity, FIG. 1 shows only one NTE 14, one local access line 12 and one local exchange 10. The NTE 14 is shown divided into two by a dotted line 21. This is a notional demarcation to indicate that equipment to the left of the line 21, as depicted in the drawing, is able to participate in authentication according to the invention, whereas equipment connected to the local access line 12 to the right is not. An unauthorised telephone 19 is shown connected to the local access line 12, i.e. to the right of the dotted line 21.

FIG. 2 illustrates the NTE 14 of FIG. 1. A switch 22 is connected between the customer port 18 and the network port 20. The switch 22 is typically constituted by a relay (or similar means) which connects the telephone through when appropriate. A microprocessor 24, having a random access memory (RAM) and a read only memory (ROM) 25, is provided within the NTE 14. The authentication connection to the local exchange 10 through the NTE 14 also includes a frequency shift keying (FSK) modem 26. The FSK modem 26 is operably connected to the local access line 12 for connection to the local exchange 10 by means of a line 28, and is under the control of the microprocessor 24 via a line 30. The microprocessor 24 is also connected to the local access line 12 by means of an interface 32.

A comprehensive telephone network often contains a mixture of analogue and digital switching. The local exchange 10 in this embodiment is based on a GEC Plessey Telecommunications Limited System X digital exchange. This is because the embodiment can use FSK-modem-based signalling for the telephone network local loop, which is currently only being installed in exchanges such as System X. It provides a generic data transfer capability operating at, for example, 1200 bits/sec. The invention also extends to other forms and implementations, and some alternatives are given.

The System X platform consists of a central digital switch block (the Digital Switching Subsystem, DSS) which switches 64 kbit/s digital circuits presented as 2 Mbit/s multiplexes. The DSS is controlled, via a Message Transfer Subsystem (MTS), by a central Call Processing Subsystem (CPS). The CPS is common control software, and runs on a proprietary bit-slice architecture processing platform (the Processor Utility Subsystem, PUS).

Analogue telephony customers are connected to this structure by the Digital Subscriber's Switching System (DSSS) equipment, known as concentrators. This equipment provides the analogue exchange line facilities, including battery feed, ringing current, supervisory tones and, through planned modifications, the FSK signalling facilities.

Considering only the analogue telephony service, call set-up is initiated by the customer going off-hook. This is detected by the DSSS, which signals this, in a PCM signalling time-slot, to the CPS via the DSS. The MTS and the
DSSS Handler process also execute on the PUS. The CPS then returns instructions to the DSSS to set up a switched path through the DSSS, apply dial tone and connect a digit receiver.

Referring to FIG. 3, at the local exchange 10 there is a further FSK modem 34 for communicating with the NTE 14.

The local exchange 10 constitutes a security node for those NTEs connected to the network through it, i.e. it acts as a point through which all calls to, and from, the network must pass for each connected NTE. Thus, enabling the local exchange (or the nearest node to the NTE) to conduct authentication means that all traffic will be passed to, or blocked from, the network according to the outcome of the authentication process.

There are a number of options for providing authentication. While the authentication facility is described in relation to the NTE 14, it could be embedded within the telephone, i.e. the CPE 16, or somewhere in between the NTE 14 and the CPE 16.

The protocol for the two-way authentication process for authenticating the equipment user is as follows:

1. The security node calculates a secret key Sj = fj(K, TN), where fj is a security algorithm, K is a secret key diversification key and TN is the telephone number of the NTE 14 to be authenticated (the NTE needs to store one secret key for each value of j in its processor, j being a three-bit number in this embodiment);

2. Sj is loaded into the NTE during installation of the NTE by the installer using a portable programmer, or by the local exchange 10 down the local access line 12;

3. The user's telephone goes off-hook;

4. The security node recognises the change in condition, and identifies the telephone number of the user as in a conventional network;

5. The security node generates a random number (the transaction number) n which it sends, together with j, to the NTE 14, in response to detecting the off-hook condition;

6. The NTE calculates an authentication code in reply, R = F(Sj, n), where F is a public algorithm, and sends it to the security node. The reply R and the telephone number TN together make up an authentication message on which the security node is able to perform authentication; and

7. The security node calculates the expected reply E = F[fj(K, TN), n] and compares this expected authentication code with the actual reply R. Only if E = R does the authentication succeed.

When a telephone goes off-hook on a line equipped with the authenticating equipment, loaded with Sj, and connected to a local loop arranged to provide a security node, the telephone identity is made available to the local exchange 10 from the telephone number in the conventional way. Of course, a separate identification number could be used for the purpose of identifying the NTE 14. It is preferred that the same identifier is used both for conventional purposes and for the system of the invention. The local exchange 10 generates the random number n and sends it, together with j, to instruct the terminal which secret number Sj to use, and to act as an FSK challenge on the local access line 12 to the NTE 14. The NTE 14 then calculates its authentication code R in response, and sends that back to the local exchange 10 (also on the local access line 12) to complete the authentication message started with the NTE identifier.

The local exchange security node compares the response R with the expected value E. Whether the authentication has succeeded or not, a dial tone is then returned to the telephone through the NTE 14, and the customer can dial the number desired. If the outcome of the authentication process is positive, i.e. there is a match between the response and the expected value, the call is allowed to proceed in the normal way. If, on the other hand, the expected and received values do not match, a call is only allowed to proceed if it is recognised either as one to an emergency service or as otherwise part of an allowable subset of calls which can be made regardless of authorisation. One alternative to this is to allow chargeable calls to be made, but for them to be logged and identified separately even though authentication has failed.

The NTE 14 stores several secret keys Sj, so that the secret key can be changed, either each time authentication is tried or for any other reason.

In a one-way system, an active challenge is not present, and the security node does not need to send a random number (the transaction number) n. When the NTE 14 goes off-hook, it generates a number m by a means previously agreed with the security node. This number m is encrypted using the public algorithm F and the secret key Sj, to generate an authentication code R = F(Sj, m). The authentication code R is then sent to the security node. The security node calculates the expected reply E = F[fj(K, TN), m] and compares the expected authentication code with the actual reply R. As for two-way authentication, only if E = R does the authentication succeed.

In either the two-way system or the one-way system, an NTE attempting to authorise itself inappropriately on a customer's local access line 12 will fail to provide the correct authentication message within a set number of attempts, and the security node will similarly deny complete access to the illegitimate equipment.

FIG. 4 illustrates the sequence of signalling messages in a two-way implementation of the authentication protocol. It will be noted that the security node is shown separate from the local exchange 10 for the sake of clarity of illustration, although the security node can be implemented as part of the local exchange. In a unidirectional implementation, the 'Challenge' and 'Response' transmissions are not sent. The 'Off-Hook' condition is automatically followed by transmission of the authentication code and the code identifying the terminal requesting access to the network.

The most sensitive element of the authentication is the security algorithm fj, which is known only to the service provider and held in the security node at the local exchange 10. The public algorithm F is a first line of encrypted defence, but is more exposed to analysis as it is stored within each installed authenticating NTE 14. The security of the authentication, therefore, rests largely with the sophistication of the encryption performed under the security algorithm kept in the security node.

The cryptographic requirements of the public algorithm F and the security algorithm fj should include the following:

a) F and fj should not be the same;

b) deducing Sj from accumulated challenge/response/TN triples should be computationally infeasible;

c) deducing the response for a given new challenge from accumulated challenge/response/TN triples should be computationally infeasible;

d) deducing K from accumulated TN/Sj pairs should be computationally infeasible;

e) deducing Sj for a given TN from accumulated TN/Sj pairs should be computationally infeasible;

f) the range of values of the challenge should be large enough for the probability of a given value of challenge being repeated to be minimised;
g) K and S should each be long enough for the system to be proof against exhaustive search; and

h) K and S should be long enough for the system to be proof against the birthday paradox, i.e. the possibility of an attacker increasing his chances of success by finding K/S pairs instead of choosing K (or S) and trying to find S (or K).

Examples of the presently considered best practice for both F and fj are the well-known Triple-DES (Data Encryption Standard) and the International Data Encryption Algorithm, which is described in 'A Proposal for a New Block Encryption Standard' by Lai and Massey, published by Springer-Verlag in Lecture Notes in Computer Science No. 473: EUROCRYPT 90, p. 389, in which it is called the proposed European Encryption Standard.

If the original fj, used without K, were disclosed, the security of the system would be compromised. Adding the secret key diversification key K means that the security of the system depends on K, not on fj. It is preferred to keep fj private, but if it is disclosed the security of the system would not automatically be compromised.

The embodiment of the invention in FIGS. 1 to 3 makes use of a processing capability located in the local exchange 10, along with the FSK modem 34, operably connected at the exchange line card interface. The appropriately programmed exchange line card interface, together with the FSK modem 34, constitutes the security node determining the authentication. Because one of the main considerations in providing authentication is the secrecy of the security algorithm, the invention requires additional equipment at the local exchange 10 in relatively low volumes, which could be produced by the network proprietor. This ensures that sensitive security algorithm information does not have to be released to other service equipment producers, or on an otherwise inappropriately wide basis.

When the secret number Sj is loaded into the processor of the NTE 14, it may be done by the service customer calling a number which will connect the NTE to an initialising facility which automatically interrogates the NTE processor for the NTE number, loads the appropriate suite of secret numbers, or replenishes spent secret numbers, and advises the customer that the task has been completed. The local loading of the secret numbers is an alternative or an adjunct to remote loading. In the latter case, if the security of the loading procedure is suspect, either on the part of the customer or the service provider, then local loading will be available to avoid the potential threat to transmission along the local access line 12.

The strength of the security provided by the authentication process has to be traded off against the need to keep the delay before a dial tone is established to a minimum. A cyclic redundancy check (CRC) is provided only if the bit transport mechanism for the network itself does not provide error checking. More than one (i.e. j) secret numbers are stored in the NTE processor so that each can be specified, either in turn or when one becomes compromised, as necessary, without interruption or loss of service to the customer.

The security node will send a challenge at least three times using the same random number n, in the event that the NTE 14 does not respond, or a transmission error is detected. Of course, in the case of an illegitimate user no reply will be generated in response to a challenge. Thus, the security node is programmed with a time-out facility. At the end of the predetermined duration, the local exchange 10 sends the dial tone to the illegitimate user in the same way as would be done for a negative authentication.

In some circumstances, the NTE 14 may detect an invalid challenge due to corrupted data, which it is programmed either to ignore or to respond to by sending a negative acknowledgement message back to the security node.

It is preferable that the authentication process is active on a per-call basis. This will ensure that the network validates each call, allowing early identification of the calling apparatus before allowing a chargeable call to be made. Otherwise, the customer may dispute the bill, since calls billed to that account could still be unauthenticated.

Operation of a telephony service may be modelled in terms of a sequence of states a call may go through. These states, and the relationship between states, form what is termed a 'call model'. Analysis of the call model reveals that there are a number of opportunities for introducing an authentication attempt.

According to the invention, an attempt is made to authenticate once the user has indicated a wish to make a call, but before the dial tone is received. This dictates that the network recognises the 'off-hook' condition, and initiates an authentication attempt whenever this state occurs.

In the alternative, authentication may be carried out after dial tone. This requires clearly defined rules governing when and how an authentication interchange is initiated. Otherwise, normal telephony service may be degraded, since the authentication process may be too obtrusive to the user or, at worst, the service too cumbersome for the user ever to bother using.

There are essentially three existing opportunities for introducing an authentication sequence once (unauthenticated) dial tone has been received. First, there is the possibility of introducing an authentication sequence after dialling but before ringing tone. Second, there is the possibility of invoking an authentication sequence via a register recall function at some point. Third, there is the possibility of introducing an authentication sequence at call termination.

The authentication-before-dial-tone protocol offers the most practicable network solution. This is because it is seen to offer a less obtrusive and more easily automated mechanism.

A requirement for the authentication protocol to be used in an authentication process is a transfer of security data between the two end points constituted by the NTE 14 and the security node at the local exchange 10, via the local access line 12. In this way, a terminal can be unambiguously identified to the network. The volume of data forming the authentication, and the time constraints on the authentication process, determine the main characteristics of the process. It has been assessed that about 10 to 20 bytes of data need to be transported in both directions between the local exchange 10 and the NTE 14.

It is possible that the security algorithm fj and associated signalling mechanism could be provided in the form of equipment connected at the exchange line card interface of the local exchange 10. In this case, each subscribing customer has to have the equipment which corresponds to the NTE.

A System X exchange possesses powerful real-time computer systems upon which all the main exchange processes are executed. In practice, it is found that local exchanges are bound by memory limitations rather than processing capabilities. Therefore, there tends to be a surplus of processor power available in the exchange where the chosen security algorithm could be executed.

This would dictate that precise details of the security algorithm were made available to external suppliers of the interfaces for it to be built or programmed in. In effect, the whole implementation would have to be disseminated to
third parties. This may be seen as being undesirable, in view of the highly important role the security algorithm plays in maintaining the integrity of the authentication procedure.

Advanced intelligent network (AIN) architectures present an alternative to the above. In this case, the security algorithm could be moved onto a co-located 'adjunct' processor. This would be external to the exchange system, and would require appropriate interfaces with the exchange equipment. This could be achieved through a direct connection with the exchange's processor (e.g. via an Ethernet connection). Alternatively, it could be achieved via a special signalling connection on the adjunct processor and a PCM stream, or analogue connection, to the local exchange switching system.

Where the adjunct processor connects to the exchange processor, special modifications have to be carried out to all the local exchanges. This would include hardware modifications to support the computer-computer communications link, e.g. the introduction of an Ethernet port.

An alternative approach is to move the security algorithm into a self-contained element, or security node, within the central processor of the network. Appropriate signalling links to the rest of the network, and associated software modifications, could then provide the necessary communications between the node and the authenticating customer equipment. This has the advantage over the previous arrangement in that a number of exchanges could be served by a single security node. Customers may, therefore, be spread over a number of exchanges rather than having to be directly connected.

Authentication based upon extensive modifications to existing or planned exchange hardware does not offer a good solution. For this reason, an adjunct processor solution is not considered to be appropriate to a telephone network.

Assuming that there was sufficient processor time and memory available, mounting the security algorithm on the local exchange processor would require releasing the security information outside of the exchange proprietor.

A separate security node solution requires modifications to individual local exchange equipment that can be limited to software sub-systems in the central processor. In addition, a single node could be connected to several local exchanges. Service can, therefore, be provided to a large number of customers by a single security node. This solution, therefore, has the advantage over the others that the authentication service is justifiable to a small, but significant, number of customers spread over a number of exchanges.

With the existing analogue telephony service, the exchange responds to the initiating telephone 'looping' the line by the application of dial tone. This conventional state in the 'call model' is modified such that the network will use this as the trigger point for generating an authentication challenge. Only once this challenge has been correctly acknowledged by an appropriately-configured authenticating telephone or other equipment, will the network permit normal telephony service to proceed for that call attempt. Failure to respond correctly to the challenge within a predetermined time limit will force the local exchange to limit telephony service for that call to a predetermined subset of the functions normally available, e.g. emergency and operator services.

In either the exchange line card arrangement or the separate node arrangement, a notional or actual security node is created through which calls subject to authentication must pass. Note that it could also be providing other network based services concurrently with the authentication.

In this case, it is implied that the signalling messages originate at the security node. These take the form of FSK signals where a signalling path has been extended to the security node. Alternatively, the security information may be transferred to the local exchange using main network signalling.

The security node is connected to the local exchange's trunk signalling system. Each authentication request will result in a call to the security node, which can be dimensioned to serve one or more local exchanges. A key element of the system is therefore embodied by the security node, which should have the following major components:

Appropriate Signalling System
Digital Transmission System
FSK Off-Hook Signalling System
Computing System
n k
Database
Security Algorithm
System Management System

In a digital exchange, such as a System X exchange, its central processor provides the essential call control and service logic functions and is, therefore, an obvious location for all the necessary software required by the proposed security node aspects of the authentication system. In this case, when the concentrator indicates to the central processor that a line has gone off-hook, the central call control functions generate the required authentication challenge data, and transmit this to the NTE 14 via the FSK modem 34 in the concentrator, rather than responding immediately with a connect dial-tone instruction. The concentrator then passes either the returned FSK challenge acknowledgement to the central processor, or it returns an indication that no FSK data was received within the specified response time. Call processing may then determine what level of service is to be set for the rest of the call, and instruct the concentrator to return the appropriate dial tone (via a conventional Send All Digits message).

Since this approach requires only FSK capabilities along with the normal telephony facilities within the concentrator, and relies upon modifications to main exchange software, it offers a very flexible route to service provision in an exchange. This is because central software modules are loaded from tape or other flexible media, as opposed to being held as firmware, and provide service to the whole exchange structure, rather than just associated concentrator lines.

An alternative approach to providing the majority of the authentication capabilities in the central processor would be to provide all the main functions within the concentrator unit. Only once a call attempt had been validated would central call processing be notified, along with the level of service to be provided, i.e. rather than indicating the off-hook condition to the central call processing software, the concentrator would authenticate the off-hook condition and then inform central call processing that the line was off-hook and request the appropriate level of service dependent upon whether the call attempt had passed or failed authentication.

As a further alternative, in a split central processor/concentrator solution, the authentication algorithm can be incorporated in the central exchange processor, but with the analysis of the challenge acknowledgement being performed by the concentrator. Upon the off-hook condition being detected, the concentrator would forward this signal to the central processor and receive from it the authentication challenge and the expected acknowledgement. This data could be generated during idle time on the processor, such as during the night, when spare processor capacity could be
used to produce sets of authentication data for the next day.

In either case, whether the data is generated on-line or off-line, it would be up to the concentrator to determine whether the response from the NTE matched that expected and to indicate to the central processor which level of service should be provided.

A complementary solution to the split central processor/concentrator is the split concentrator/central processor solution. In this case, the decision logic is within the central call processing, and the authentication algorithm is located within the concentrator. When a line enters the off-hook state, the concentrator generates both the challenge and the expected acknowledgement. The challenge is then transmitted to the NTE and the concentrator awaits the receipt of the NTE response. The central processor then receives, via the concentrator, the expected response along with the response received from the NTE, performs the comparison, and sets up the appropriate level of service.

What is claimed is:

1. A telecommunications station for use with a telecommunications network, said station performing an authentication process in which said station exchanges authentication signals with the network and permits exchange of telecommunications traffic with the network only when said authentication process is successful, said station comprising:

a network termination unit with a network port for connection to said network, and a terminal port for connection to separate non-authenticating user equipment;

separate non-authenticating user equipment removably connected to said terminal port;

wherein:

said network termination unit contains circuitry, connected to said network port, for performing said authentication process automatically upon detection of an off-hook condition indicating initiation of use of said separate non-authenticating user equipment and without further user intervention, and a switch connected between said terminal port and said network port, said switch being responsive to signals from said authentication circuitry to permit exchange of said telecommunications traffic between said user equipment and said network only when said authentication process is successful.

2. An authentication station for connection between a telecommunications network and separate non-authenticating user equipment, comprising:

a network port for connecting the authentication station to the telecommunications network;

a terminal port for removably connecting the authentication station to the separate non-authenticating user equipment, said separate non-authenticating user equipment being incapable of providing authentication for any other equipment connected thereto; and

authentication circuitry for automatically, upon detection of an off-hook condition indicating initiation of use of said separate non-authenticating user equipment and without further user intervention, exchanging authentication signals with the network and permitting exchange of telecommunications traffic between the telecommunications network and the separate non-authenticating user equipment only when an authentication process between the telecommunications network and said authentication station permits said exchange.

3. A method of authenticating a line of a communications network automatically upon detection of an off-hook condition of separate non-authenticating user equipment and without further user intervention, the line being connected to a network termination unit, said network termination unit not functioning as a user terminal and having a port for removable operative connection to said separate non-authenticating user equipment, the method comprising the steps of:

detecting an off-hook condition of the separate non-authenticating user equipment;

indicating to a security node associated with the network that a user of the network termination unit requires use of the network;

calculating an authentication code at the network termination unit, the authentication code being a function of a transaction number encrypted by means of at least one first key associated with the termination unit, and an algorithm;

transmitting the authentication code to the security node;

calculating an expected authentication code at the security node based on the transaction number, the algorithm and said at least one first key;

comparing the expected authentication code with the received authentication code; and

denying unrestricted access to the network for the network termination unit unless the expected and received authentication codes match.

4. A method as claimed in claim 3, in which the security node calculates said at least one first key for the network termination unit, each said at least one first key being a function of a security algorithm stored within the node, an identification code for the network termination unit and a second key, each said at least one first key being loaded into the network termination unit for later use with the first algorithm in authenticating a line.

5. A method as claimed in claim 4, in which a first key is loaded into the network termination unit remotely by the security node, or locally from storage means connected temporarily to the unit.

6. A method as claimed in claim 3, in which the security node generates the transaction number, which is sent as a challenge to the network termination unit in response to the indication received by the security node that the user requires use of the network.

7. A method as claimed in claim 3, in which the network termination unit transmits a negative acknowledgment to the security node when no challenge, or an invalid challenge, is received following an indication that the user requires use of the network.

8. A method as claimed in claim 3, in which the security node permits a dial tone to be established with the network termination unit independent of the result of the authentication.

9. A method as claimed in claim 3, in which the telecommunications network has a plurality of exchanges, each for routing traffic to, and from, a plurality of network termination units, at least one of the exchanges having the security node associated therewith.

10. A system for authenticating lines of a communications network automatically upon detection of an off-hook condition of separate non-authenticating user equipment each connected to the network via a network termination unit and without further user intervention, comprising:

a plurality of network termination units each connected to the network, each of said plurality of network termination units not functioning as a user terminal and having a terminal port for removable operative connection to said separate non-authenticating user equipment compatible with the network, at least one of the network termination units comprising processing means including a memory, and signaling means operably connected to the network and enabled by the processing means, the signaling means being arranged to transmit to the line an authentication code automatically after a potential user initiates a use of the network, the authentication code being calculated by the processing means as a function of a transaction number encrypted by means of an algorithm and a key associated with that network termination unit; and

a security node operable to receive authentication codes from the network termination units, to determine whether a received code corresponds, in accordance with said algorithm, to the transaction number and a key corresponding to that network termination unit, and to deny unrestricted access to the network for that unit unless such correspondence is found.

11. A system as claimed in claim 10, in which the security node includes means operable to calculate the first key as a function of a security algorithm stored in the node, an identification code for that network termination unit, and a second key, and to transmit the first-mentioned key to that unit for later use in the authentication of that unit.

12. A system as claimed in claim 10, in which the security node further includes means operable to generate the transaction number, and node signaling means for sending the transaction number as a challenge to a line in response to an indication received by the security node that the user of that line requires use of the network.

13. A system as claimed in claim 10, in which the network termination unit includes means for transmitting a negative acknowledgment to the security node when no challenge, or an invalid challenge, is received following an indication that the user requires use of the network.

14. A system as claimed in claim 10, in which the network is a telecommunications network having a plurality of exchanges, each for routing traffic to, and from, a number of network termination units, at least one of the exchanges having the security node associated therewith.

15. A system as claimed in claim 14, in which the security node is arranged to permit a dial tone to be established with that network termination unit independent of the result of the authentication.

16. A network termination unit for a communications network, the network termination unit not functioning as a user terminal and comprising a terminal port for removable operative connection to separate non-authenticating user equipment compatible with the network, a network port for connecting the network termination unit to a line of the network, processing means including a memory, and signaling means arranged to transmit signals through the network port, the processing means being operable, following initiation of use of the network by a user, to automatically, upon detection of an off-hook condition of said separate non-authenticating user equipment connected to said network termination unit and without further user intervention, calculate an authentication code which is a function of a transaction number encrypted by means of an algorithm and a key stored in the processing means and to enable the signaling means to transmit the authentication code through the network port.

17. A network termination unit as claimed in claim 16, in which the processing means is arranged to receive signals through the network port and is responsive to a challenge signal from the network to calculate the authentication code and to enable the signaling means, the transaction number being obtained from the challenge signal.

18. A network termination unit as claimed in claim 17, in which the processing means includes error checking means for signals received through the network port, the processing means being operable to enable the signaling means to transmit a negative acknowledgment in the event that an invalid challenge is received from the network.

19. A communications network comprising:

a plurality of network termination units connected to the network, said network termination units not functioning as a user terminal and including a terminal port for removable operative connection to separate non-authenticating user equipment;

at least one of said plurality of network termination units comprising a processor, said processor including a memory and a signaling circuit enabled by said processor and operatively connected to the network;

said signaling circuit being arranged to transmit an authentication code automatically, upon detection of an off-hook condition of said separate non-authenticating user equipment connected to said network termination unit and without further user intervention, said authentication code being determined by the processor based on a transaction number encrypted by an algorithm and a key associated with the network termination unit; and

a security node operable to receive authentication codes from the network termination units, said security node further determining whether a received code corresponds to the transaction number and a key corresponding to that network termination unit, said security node denying unrestricted access to the network for that unit unless a correspondence is found.

20. A network termination unit that does not function as a user terminal comprising:

a terminal port for removably operatively connecting the network termination unit to separate non-authenticating user equipment;

a network port for connecting the network termination unit to a line of a communications network; and

a processor including a memory and a signaling circuit arranged to transmit signals through the network port, said processor being operable, automatically, upon detection of an off-hook condition of said separate non-authenticating user equipment connected to said network termination unit and without further user intervention, to determine an authentication code based on a transaction number encrypted by means of an algorithm and a key stored in the processor, said processor further enabling the signaling circuit to transmit the authentication code through the network port.
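The two-way challenge-response exchange of claims 3 to 7, the key loading of claims 4 and 5, and the split central processor/concentrator arrangement described above (challenge and expected acknowledgement produced off-line, comparison done by a concentrator that holds no key), as an added worked example. This is not part of the patent and is not the patentee's implementation. The patent leaves the security algorithm, the key sizes and the code length unspecified; HMAC-SHA256 is assumed here as the keyed function for both the per-terminal first-key derivation and the authentication code, the 8-byte transaction number, the 16-byte code, the 'full' and 'restricted' service levels, the class and function names and the second-key value are all constructed for illustration, and FSK signalling is replaced by direct function calls.

```python
"""Security node / network termination unit (NTE) line authentication.
Added example: HMAC-SHA256 stands in for the patent's unspecified security
algorithm; all sizes, names and the second key are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

TRANSACTION_LEN = 8        # bytes in a transaction number (assumed)
CODE_LEN = 16              # bytes in an authentication code (assumed)
FULL = "full"              # normal telephony service
RESTRICTED = "restricted"  # e.g. emergency and operator services only

# Constructed 'second key': held only by the security node, never by an NTE.
SECOND_KEY = bytes.fromhex(
    "6a09e667bb67ae853c6ef372a54ff53a510e527f9b05688c1f83d9ab5be0cd19")


def derive_first_key(second_key: bytes, terminal_id: str) -> bytes:
    """Claim 4: first key = f(security algorithm, terminal id code, second key)."""
    return hmac.new(second_key, terminal_id.encode("ascii"), hashlib.sha256).digest()


def authentication_code(first_key: bytes, transaction_number: bytes) -> bytes:
    """Transaction number bound to the first key. A keyed MAC plays the role
    the patent describes as encrypting the number under the terminal's key."""
    return hmac.new(first_key, transaction_number, hashlib.sha256).digest()[:CODE_LEN]


class SecurityNode:
    """Issues challenges and decides the level of service (claims 3, 6, 8)."""

    def __init__(self, second_key: bytes) -> None:
        self._second_key = second_key
        self._pending: Dict[str, bytes] = {}  # terminal id -> outstanding challenge

    def provision(self, terminal_id: str) -> bytes:
        """Claim 5: the node loads the first key into the NTE. It stores no
        per-terminal secret and re-derives the key from the second key."""
        return derive_first_key(self._second_key, terminal_id)

    def challenge(self, terminal_id: str) -> bytes:
        """Claim 6: fresh random transaction number per off-hook indication."""
        tn = secrets.token_bytes(TRANSACTION_LEN)
        self._pending[terminal_id] = tn
        return tn

    def verify(self, terminal_id: str, received: Optional[bytes]) -> str:
        """Level of service for the call; None models a time-out or the NTE's
        negative acknowledgement. The pending challenge is consumed either
        way, so a late or replayed code has nothing to match against."""
        tn = self._pending.pop(terminal_id, None)
        if tn is None or received is None:
            return RESTRICTED
        expected = authentication_code(derive_first_key(self._second_key, terminal_id), tn)
        return FULL if hmac.compare_digest(expected, received) else RESTRICTED

    def precompute(self, terminal_id: str, count: int) -> List[Tuple[bytes, bytes]]:
        """Split central processor/concentrator: (challenge, expected ack)
        pairs generated off-line for a concentrator that holds no key.
        Each pair must be issued once and then discarded."""
        first_key = derive_first_key(self._second_key, terminal_id)
        pairs = []
        for _ in range(count):
            tn = secrets.token_bytes(TRANSACTION_LEN)
            pairs.append((tn, authentication_code(first_key, tn)))
        return pairs


class NetworkTerminationUnit:
    """Holds one first key and answers challenges (claims 16 to 18)."""

    def __init__(self, terminal_id: str, first_key: bytes) -> None:
        self.terminal_id = terminal_id
        self._first_key = first_key

    def respond(self, challenge: bytes) -> Optional[bytes]:
        """Claims 7 and 18: a malformed challenge yields a negative
        acknowledgement (None), not a code computed over corrupt data."""
        if len(challenge) != TRANSACTION_LEN:
            return None
        return authentication_code(self._first_key, challenge)


def concentrator_compare(pair: Tuple[bytes, bytes], received: Optional[bytes]) -> str:
    """Concentrator-side comparison against one precomputed pair."""
    _, expected = pair
    if received is None or not hmac.compare_digest(expected, received):
        return RESTRICTED
    return FULL


def off_hook_call(node: SecurityNode, nte: Optional[NetworkTerminationUnit],
                  terminal_id: str) -> str:
    """One call attempt: off-hook -> challenge -> response (or silence) -> service."""
    tn = node.challenge(terminal_id)
    response = nte.respond(tn) if nte is not None else None  # None: no reply, time-out
    return node.verify(terminal_id, response)
```

Two points the description leaves implicit are made explicit here: the node consumes the outstanding challenge on every decision, so the time-out path and a replayed acknowledgement both end in the restricted service level, and a comparison is done with hmac.compare_digest rather than == so the node's decision time does not leak how much of a guessed code was right. With precomputed pairs the concentrator never holds the first key, but a pair reused for a second call would accept a recorded acknowledgement, so the pool must be consumed strictly once per entry.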